Hi Dirk:

Dirk Reske wrote:
> Patrick Patterson wrote:
>> Second, it's just plain bad PKI to put attributes in Identity
>> Certificates.
>
> What do you mean by this?
>
Well, to quote IETF RFC3281 (which has to do with Attribute Certificates):

"Some people constantly confuse PKCs and ACs.  An analogy may make the
distinction clear.  A PKC can be considered to be like a passport: it
identifies the holder, tends to last for a long time, and should not
be trivial to obtain.  An AC is more like an entry visa: it is
typically issued by a different authority and does not last for as
long a time.  As acquiring an entry visa typically requires
presenting a passport, getting a visa can be a simpler process.

Authorization information may be placed in a PKC extension or placed
in a separate attribute certificate (AC).  The placement of
authorization information in PKCs is usually undesirable for two
reasons.  First, authorization information often does not have the
same lifetime as the binding of the identity and the public key.  When
authorization information is placed in a PKC extension, the general
result is the shortening of the PKC useful lifetime.  Second, the PKC
issuer is not usually authoritative for the authorization
information.  This results in additional steps for the PKC issuer to
obtain authorization information from the authoritative source.

For these reasons, it is often better to separate authorization
information from the PKC.  Yet, authorization information also needs
to be bound to an identity.  An AC provides this binding; it is
simply a digitally signed (or certified) identity and set of
attributes."

(where PKC is a Public Key Certificate (i.e.: Identity Certificate) and
AC is an Attribute Certificate).

Now - the problem with implementing ACs is that there are VERY few
systems out there that implement them correctly, or at all. Unless you
are in a position to control everything about your environment (i.e.:
Military or Intelligence agency), ACs probably won't work in your
environment.

So, to achieve the separation of Attributes and Identity, as I said in
my other mail, you should probably look at a technology that was
conceived for the express purpose of transmitting attributes about a
security principal around - i.e. Identity Federation :)

Have fun.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

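The passport/visa split the RFC passage describes, as an added example that is not part of the original thread or of OpenSSL: a long-lived self-signed identity certificate (the PKC), a separate Attribute Authority that issues a short-lived, signed set of roles bound to that PKC by issuer name and serial, and the relying-party check that joins the two. The AttrCert structure, the Ed25519 signing and the function names are simplifications chosen for this example, not the full RFC 3281 syntax.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// AttrCert is a simplified AC body (not the full RFC 3281 syntax); the holder fields bind it to one PKC.
type AttrCert struct {
	HolderIssuer        []byte // DER issuer name copied from the PKC (cf. RFC 3281 baseCertificateID)
	HolderSerial        *big.Int
	Roles               []string
	NotBefore, NotAfter time.Time // the AC's own lifetime, independent of the PKC's
}
// IssuePKC makes a self-signed identity certificate valid for three years: the "passport".
func IssuePKC(cn string, now time.Time) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.AddDate(3, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv) // a failure surfaces as a parse error below
	return x509.ParseCertificate(der)
}
// IssueAC is the Attribute Authority's step, the "visa": roles bound to the PKC but with a shorter
// lifetime, so reissuing them never touches the identity certificate. Returns (DER body, signature).
func IssueAC(aa ed25519.PrivateKey, pkc *x509.Certificate, roles []string, now time.Time, ttl time.Duration) ([]byte, []byte) {
	tbs, _ := asn1.Marshal(AttrCert{pkc.RawIssuer, pkc.SerialNumber, roles, now, now.Add(ttl)})
	return tbs, ed25519.Sign(aa, tbs)
}
// VerifyAC is the relying party's check at time `at`: AA signature, holder linkage to the presented
// PKC, and both validity windows. The roles are returned only if every check passes.
func VerifyAC(aaPub ed25519.PublicKey, pkc *x509.Certificate, tbs, sig []byte, at time.Time) ([]string, error) {
	if !ed25519.Verify(aaPub, tbs, sig) {
		return nil, errors.New("AC signature invalid")
	}
	var ac AttrCert
	if _, err := asn1.Unmarshal(tbs, &ac); err != nil {
		return nil, err
	}
	if string(ac.HolderIssuer) != string(pkc.RawIssuer) || ac.HolderSerial.Cmp(pkc.SerialNumber) != 0 {
		return nil, errors.New("AC holder does not match the presented PKC")
	}
	if at.Before(ac.NotBefore) || at.After(ac.NotAfter) || at.Before(pkc.NotBefore) || at.After(pkc.NotAfter) {
		return nil, errors.New("AC or PKC outside its validity period")
	}
	return ac.Roles, nil
}
```

Note that the AA key never signs the PKC and the PKC's CA never sees the roles, which is exactly the separation of authority the RFC argues for.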

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
